Diffstat (limited to 'openssl/trunk/crypto')
-rw-r--r-- | openssl/trunk/crypto/x509v3/v3_addr.c | 28 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509v3/v3_asid.c | 20 | ||||
-rw-r--r-- | openssl/trunk/crypto/x509v3/x509v3.h | 10 |
3 files changed, 52 insertions, 6 deletions
diff --git a/openssl/trunk/crypto/x509v3/v3_addr.c b/openssl/trunk/crypto/x509v3/v3_addr.c
index 70911805..78f60ed4 100644
--- a/openssl/trunk/crypto/x509v3/v3_addr.c
+++ b/openssl/trunk/crypto/x509v3/v3_addr.c
@@ -999,7 +999,7 @@ X509V3_EXT_METHOD v3_addr = {
 /*
 * Figure out whether extension sues inheritance.
 */
-static int addr_inherits(IPAddrBlocks *addr)
+int v3_addr_inherits(IPAddrBlocks *addr)
 {
 int i;
 if (addr == NULL)
@@ -1012,7 +1012,6 @@ static int addr_inherits(IPAddrBlocks *addr)
 return 0;
 }
-
 /*
 * Figure out whether parent contains child.
 */
@@ -1050,6 +1049,29 @@ static int addr_contains(IPAddressOrRanges *parent,
 }
 /*
+ * Test whether a is a subset of b.
+ */
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
+{
+ int i;
+ if (a == NULL || a == b)
+ return 1;
+ if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
+ return 0;
+ sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+ for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
+ IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
+ int j = sk_IPAddressFamily_find(b, fa);
+ IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);
+ if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges,
+ fa->ipAddressChoice->u.addressesOrRanges,
+ length_from_afi(afi_from_addressfamily(fb))))
+ return 0;
+ }
+ return 1;
+}
+
+/*
 * Validation error handling via callback.
 */
 #define validation_err(_err_) \
@@ -1186,7 +1208,7 @@ int v3_addr_validate_resource_set(STACK_OF(X509) *chain,
 return 1;
 if (chain == NULL || sk_X509_num(chain) == 0)
 return 0;
- if (!allow_inheritance && addr_inherits(ext))
+ if (!allow_inheritance && v3_addr_inherits(ext))
 return 0;
 return v3_addr_validate_path_internal(NULL, chain, ext);
 }
diff --git a/openssl/trunk/crypto/x509v3/v3_asid.c b/openssl/trunk/crypto/x509v3/v3_asid.c
index 79dd262b..70bd5581 100644
--- a/openssl/trunk/crypto/x509v3/v3_asid.c
+++ b/openssl/trunk/crypto/x509v3/v3_asid.c
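Review bot: In v3_addr_subset, `sk_IPAddressFamily_find(b, fa)` returns -1 when b has no entry for fa's address family, and `sk_IPAddressFamily_value(b, -1)` then yields NULL, so `fb->ipAddressChoice` dereferences a null pointer for any a that covers an AFI absent from b. A family present in a but missing from b means a is not a subset, so the loop should bail out there: `if (j < 0) return 0;` placed directly after the `int j = sk_IPAddressFamily_find(b, fa);` line. Setting the comparison function and calling sk_find also sorts b in place, which deserves a one-line comment because a predicate that mutates its second argument will surprise callers. The function comment should additionally state that both arguments are expected in canonical form, since addr_contains presumably relies on sorted, non-overlapping ranges; that function's body is outside the hunk, so confirm against it.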
@@ -563,7 +563,7 @@ X509V3_EXT_METHOD v3_asid = {
 /*
 * Figure out whether extension uses inheritance.
 */
-static int asid_inherits(ASIdentifiers *asid)
+int v3_asid_inherits(ASIdentifiers *asid)
 {
 return (asid != NULL &&
 ((asid->asnum != NULL &&
@@ -604,6 +604,22 @@ static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
 }
 /*
+ * Test whether a is a subet of b.
+ */
+int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
+{
+ return (a == NULL ||
+ a == b ||
+ (b != NULL &&
+ !v3_asid_inherits(a) &&
+ !v3_asid_inherits(b) &&
+ asid_contains(b->asnum->u.asIdsOrRanges,
+ a->asnum->u.asIdsOrRanges) &&
+ asid_contains(b->rdi->u.asIdsOrRanges,
+ a->rdi->u.asIdsOrRanges)));
+}
+
+/*
 * Validation error handling via callback.
 */
 #define validation_err(_err_) \
@@ -756,7 +772,7 @@ int v3_asid_validate_resource_set(STACK_OF(X509) *chain,
 return 1;
 if (chain == NULL || sk_X509_num(chain) == 0)
 return 0;
- if (!allow_inheritance && asid_inherits(ext))
+ if (!allow_inheritance && v3_asid_inherits(ext))
 return 0;
 return v3_asid_validate_path_internal(NULL, chain, ext);
 }
diff --git a/openssl/trunk/crypto/x509v3/x509v3.h b/openssl/trunk/crypto/x509v3/x509v3.h
index ea5d3f6e..fc0570b2 100644
--- a/openssl/trunk/crypto/x509v3/x509v3.h
+++ b/openssl/trunk/crypto/x509v3/x509v3.h
@@ -734,7 +734,15 @@ int v3_asid_canonize(ASIdentifiers *asid);
 int v3_addr_canonize(IPAddrBlocks *addr);
 /*
- * Check whether RFC 3779 extensions nest properly.
+ * Tests for inheritance and containment.
+ */
+int v3_asid_inherits(ASIdentifiers *asid);
+int v3_addr_inherits(IPAddrBlocks *addr);
+int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
+int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
+
+/*
+ * Check whether RFC 3779 extensions nest properly in chains.
 */
 int v3_asid_validate_path(X509_STORE_CTX *);
 int v3_addr_validate_path(X509_STORE_CTX *);
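Review bot: v3_asid_subset dereferences `b->asnum`, `a->asnum`, `b->rdi` and `a->rdi` unconditionally, yet both members are optional, as the `asid->asnum != NULL` test in v3_asid_inherits earlier in this file shows; an ASIdentifiers carrying only an asnum (or only an rdi) on either side therefore makes this a null-pointer dereference. A choice missing from a is trivially contained, while a choice present in a but absent from b means a is not a subset, so containment should be tested per member as below. The new comment also reads "subet" for "subset". Whether asid_contains itself tolerates a NULL stack is outside the hunk and should be confirmed.
```c
int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
{
  if (a == NULL || a == b)
    return 1;
  if (b == NULL || v3_asid_inherits(a) || v3_asid_inherits(b))
    return 0;
  /* A member absent from a is trivially contained; present in a but absent from b is not. */
  if (a->asnum != NULL &&
      (b->asnum == NULL ||
       !asid_contains(b->asnum->u.asIdsOrRanges, a->asnum->u.asIdsOrRanges)))
    return 0;
  if (a->rdi != NULL &&
      (b->rdi == NULL ||
       !asid_contains(b->rdi->u.asIdsOrRanges, a->rdi->u.asIdsOrRanges)))
    return 0;
  return 1;
}
```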
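Review bot: The new header comment `Tests for inheritance and containment.` does not give callers the contract that the definitions in v3_addr.c and v3_asid.c actually implement: the subset functions return 1 for a NULL or identical first argument, return 0 whenever either argument uses inheritance, and v3_addr_subset is not a pure predicate because it sorts its second argument in place. Since this header is the interface other code will build on, each prototype should carry a short comment giving the return-value convention and those cases, e.g. `/* Return 1 if a is a subset of b. A NULL a is a subset of anything; inheriting arguments are never subsets. */` above the two subset prototypes.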